Krebs on Security

In-depth security news and investigation

Posts Tagged: Ocean Bank

A decision handed down by a federal appeals court this week may make it easier for small business owners victimized by cyberheists to recover stolen funds by suing their bank.

The U.S. Court of Appeals for the First Circuit has reversed a decision from Aug. 2011, which held that Ocean Bank (now People’s United) was not at fault for a $588,000 cyberheist in 2009 against one of its customers, Sanford, Me.-based Patco Construction Co. The appeals court sent specific aspects of the earlier decision back to the lower court for review, but it encouraged both parties to settle the matter out of court.

The appeals court in Boston called the bank’s security systems “commercially unreasonable,” reversing a lower court ruling that Ocean Bank’s reliance on passwords and secret questions was in line with guidance set out by federal banking regulators. A copy of the decision is here (PDF).

Charisse Castagnoli, a bank fraud expert and independent security consultant, said the decision could open the door to lawsuits from small businesses that have been similarly victimized with the help of outdated security procedures at their banks.

“What this opinion offers is a strong basis for victims to challenge the security implementations of their banks regardless of whether they agreed that the implementation was ‘commercially reasonable’ at a single point in time in a ‘shrink wrap’ type contract,” Castagnoli said.

A closely watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week, if adopted by the U.S. district court in Maine, will make it more difficult for other victim businesses to challenge the effectiveness of the security measures employed by their banks.

In May 2009, Sanford, Maine-based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn.-based People’s United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court rule against Patco by denying Patco’s motion for summary judgment and granting the bank’s motion.

David Navetta, a founding partner of the Information Law Group, said that Patco has about another week to dispute the magistrate’s recommendations, but that it is unlikely that the judge overseeing the case will overturn the magistrate’s findings.

Navetta said the magistrate considered the legal issues and propounded an analysis of what constitutes “commercially reasonable” security.

“Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability,” Navetta said. “The court explicitly recognizes this concept, and I think that is a good thing.”

But Avivah Litan, a fraud and bank security analyst at Gartner, took strong exception to the way the magistrate arrived at the recommended decision, calling it “an outrage.”

“In my opinion, this is frankly an egregious injustice against small U.S. businesses,” Litan said. “It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.”